Our company has completed a security review of ColdFusion 2021 update 4 and found it is using an outdated version of Tomcat (9.0.60). Does anyone know if Adobe will be updating Tomcat to the latest version (9.0.74)?
Good question.
You should put in a Feature Request. If you do, you might want to include the link to the list of Tomcat vulnerabilities.
My answer would be: yes, they always do eventually offer an update which updates the Tomcat. But the problem is we don't know when, and it has sometimes lingered for over a year. Also, sadly, we can't update it ourselves, as it's a custom implementation of tomcat.
What's one to do?
1) Well, as bkbk said you can file a bug report (or add a vote to one already created).
2) Another option is to run cf atop a Tomcat that you implement yourself, deploying cf as a war file. That's an option offered on running the cf installer (to create that war file), or it can be created from within the cf admin, package mgt section. This war file can be deployed in tomcat or any Java app server. (Lucee also offers this deployment option of running it as a war file.)
Unfortunately, running such a CF war in production requires a license--and Adobe currently prevents running as a war if a CF Standard license key is implemented. This is also why CommandBox cannot run cf with a Standard license. I do really wish Adobe would lift that limitation, for both reasons.
Running cf (or lucee) via a war file does entail learning use of aspects of tomcat that are normally hidden from those who run cf the "normal" way. Also, various config folders are in quite different locations, which challenges using traditional help resources (written and human). But desperate times call for desperate measures, and I wanted to clarify this is an option.
3) Finally, some folks simply present the situation to their security folks and seek an exception while awaiting Adobe to finally implement the update.
Hope that's a little more clarifying for you, even if more conciliatory than comforting.
I raised a bug the same day I added this conversation. However, I cannot see it, so I raised a Feature request. I encourage people to vote for it: CF-4217860
Voted. 🙂
You missed a chance to ask them to provide a way that we could update tomcat... even if only to updates within the Tomcat version currently running within cf.
As for your missing bug report, are you saying that when you view the front page of the tracker site (which lists all your submissions) you see this one but not that one?
Anyway, I'll add a vote and a comment about this and what I said above.
I'll add that at least CF2023 (the final release) now comes (initially) with 9.0.72. Still not 9.0.75 or 74, but a step in the right direction.
Again, time will tell when a CF2021 update may update the Tomcat in CF2021 beyond the 9.0.60 in update 6 (as I write, which last changed in update 4).
I've added this comment to the tracker ticket...but sadly we've heard not a word from Adobe or anyone else.